[jboss-jira] [JBoss JIRA] Created: (JBWEB-103) Tomcat 5.5.26 Security Vulnerability Fixes

Mike Millson (JIRA) jira-events at lists.jboss.org
Thu Mar 20 11:14:53 EDT 2008


Tomcat 5.5.26 Security Vulnerability Fixes
------------------------------------------

                 Key: JBWEB-103
                 URL: http://jira.jboss.com/jira/browse/JBWEB-103
             Project: JBoss Web
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Core
            Reporter: Mike Millson
         Assigned To: Jean-Frederic Clere


Tomcat 5.5.26 addressed the following security vulnerabilities[1]:
1) Session hijacking   CVE-2007-5333
Applying this fix is not recommended at this time because it causes a regression.[2]
2) Elevated privileges   CVE-2007-5342
This does not apply because JBoss AS does not use JULI logging.
3) Information disclosure   CVE-2007-5461
This fix needs to be applied.
4) Data integrity   CVE-2007-6286
This has already been addressed; the fix is included in the latest JBoss Native source and binaries.[3]

The fix for CVE-2007-5461 needs to be applied to the affected JBoss AS 4.0.x releases[4].

[1] http://tomcat.apache.org/security-5.html
[2] http://www.mail-archive.com/dev@tomcat.apache.org/msg23356.html
[3] http://labs.jboss.com/jbossweb/downloads/jboss-native/
[4] http://wiki.jboss.org/wiki/Wiki.jsp?page=VersionOfTomcatInJBossAS
